IE8 CButton Object Use-After-Free Vulnerability

Windows XP SP3
IE 8.0.6001.18702

Enable page heap and user-mode stack traces for iexplore.exe (+hpa puts every allocation on its own page and makes freed pages inaccessible, so a stale read faults immediately; +ust records the allocation and free call stacks that !heap -p -a shows below):

gflags.exe /i iexplore.exe +hpa +ust

Run windbg (-g and -G skip the initial and final breakpoints, -o also attaches to child processes, which is where the tab content runs):

windbg.exe -g -G -o "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

(200.e54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0bbb0fa8 ebx=05f34f30 ecx=00000052 edx=00000000 esi=00000000 edi=0bbb0fa8
eip=637848ae esp=0391f838 ebp=0391f8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
637848ae 8b07            mov     eax,dword ptr [edi]  ds:0023:0bbb0fa8=????????

1:028> !heap -p -a edi
    address 0bbb0fa8 found in
    _DPH_HEAP_ROOT @ 141000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    bab7248:          bbb0000             2000
    7c957553 ntdll!RtlFreeHeap+0x000000f9
    639943ef mshtml!CButton::`vector deleting destructor'+0x0000002f
    63628a50 mshtml!CBase::SubRelease+0x00000022
    63640d1b mshtml!CElement::PrivateRelease+0x00000029
    6363d0ae mshtml!PlainRelease+0x00000025
    63663c03 mshtml!PlainTrackerRelease+0x00000014
    633a10b4 jscript!VAR::Clear+0x0000005c
    6339fb4a jscript!GcContext::Reclaim+0x000000ab
    6339fd33 jscript!GcContext::CollectCore+0x00000113
    63405594 jscript!JsCollectGarbage+0x0000001d
    633a92f7 jscript!NameTbl::InvokeInternal+0x00000137
    633a6650 jscript!VAR::InvokeByDispID+0x0000017c
    633a9c0b jscript!CScriptRuntime::Run+0x00002989
    633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
    633a59f7 jscript!ScrFncObj::Call+0x0000008f
    633a5743 jscript!CSession::Execute+0x00000175


1:028> kv
ChildEBP RetAddr  Args to Child              
0391f8a4 635c378b 06221fc0 05c8c6bc 05c8c6a8 mshtml!CMarkup::OnLoadStatusDone+0x4ef
0391f8c4 635c3e16 00000004 0391fd4c 00000000 mshtml!CMarkup::OnLoadStatus+0x47
0391fd10 636553f8 06223f48 00000000 00000000 mshtml!CProgSink::DoUpdate+0x52f
0391fd24 6364de62 06223f48 06223f48 05c9ed58 mshtml!CProgSink::OnMethodCall+0x12
0391fd58 6363c3c5 0391fde0 6363c317 00000000 mshtml!GlobalWndOnMethodCall+0xfb
0391fd78 77cf8734 001103e0 00000009 00000000 mshtml!GlobalWndProc+0x183
0391fda4 77cf8816 6363c317 001103e0 00008002 USER32!InternalCallWinProc+0x28
0391fe0c 77cf89cd 00000000 6363c317 001103e0 USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
0391fe6c 77cf8a10 0391fe94 00000000 0391feec USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
0391fe7c 026a2ec9 0391fe94 00000000 01cb8f58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
0391feec 026448bf 04470808 0040128e 030aeff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x461 (FPO: [Non-Fpo])
0391ffa4 5de05a60 01cb8f58 7c817067 0391ffec IEFRAME!LCIETab_ThreadProc+0x2c1 (FPO: [Non-Fpo])
0391ffb4 7c80b713 030aeff0 0040128e 7c817067 iertutil!CIsoScope::RegisterThread+0xab (FPO: [Non-Fpo])
0391ffec 00000000 5de05a52 030aeff0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

Running the page crashes: the faulting instruction dereferences edi, which holds a pointer to a CButton object that has already been freed. The !heap -p -a output above reports the address in a free-ed page-heap allocation, and the recorded free stack ends in CButton::`vector deleting destructor' reached from a jscript garbage collection (JsCollectGarbage), while the crash stack shows the stale pointer being used from CMarkup::OnLoadStatusDone. The code loads the dword edi points to into eax and then calls [eax+0xdc]: the first dword of a C++ object is its vtable pointer, so this is a virtual call through vtable slot 0xdc/4 = 55. Under page heap the freed page is inaccessible, so the mov itself faults (the ???????? above); without page heap the load would read whatever now occupies the chunk, and the following call would take its target from that memory.

637848a9 e9ce44e5ff      jmp     mshtml!CLinePtr::GetAdjustedLineLength+0x12b (635d8d7c)
637848ae 8b07            mov     eax,dword ptr [edi]  ds:0023:0bbb0fa8=????????
637848b0 57              push    edi
637848b1 8975b0          mov     dword ptr [ebp-50h],esi
637848b4 8975c0          mov     dword ptr [ebp-40h],esi
637848b7 8975c8          mov     dword ptr [ebp-38h],esi
637848ba 8975c4          mov     dword ptr [ebp-3Ch],esi
637848bd 8975cc          mov     dword ptr [ebp-34h],esi
637848c0 8975d0          mov     dword ptr [ebp-30h],esi
637848c3 ff90dc000000    call    dword ptr [eax+0DCh]
637848c9 56              push    esi
637848ca 6837fdffff      push    0FFFFFD37h
637848cf 56              push    esi
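As an added illustration (not code from this page or from IE), the following C model shows why the two instructions mov eax,[edi] / call [eax+0DCh] on a freed object are the dangerous part: the first dword of a C++ object is its vtable pointer, so once the freed chunk is reused by attacker-controlled data the virtual call goes wherever the attacker's fake vtable points. The Button struct, the one-chunk arena standing in for a heap bucket, slot index 55 (0xDC/4 on 32-bit) and the method names are assumptions made for the model. With page heap enabled as above, the freed page is inaccessible rather than reusable, so the first read faults instead, which is the ???????? seen in the crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct Button Button;
typedef unsigned (*method_t)(Button *self);

/* On 32-bit IE8 the crashing call is through [vtable + 0xDC], i.e. slot
 * 0xDC / 4 = 55 (assumption: the model keys on the slot index, not the byte offset). */
#define CRASH_SLOT   55
#define VTABLE_SLOTS 64

struct Button {
    const method_t *vtable;   /* first dword of the object: what "mov eax,[edi]" reads */
    unsigned        refcount;
    char            tag[24];
};

/* One-chunk arena standing in for a heap bucket (constructed model, not the
 * Windows heap). The first allocation after a free returns the same address,
 * which is the reuse a UAF exploit relies on. Under full page heap (+hpa) the
 * freed page would instead be inaccessible and the first read would fault. */
static union {
    Button        as_button;   /* keeps the chunk aligned for a Button */
    unsigned char raw[64];
} g_chunk;
static int g_chunk_in_use;

static void *model_alloc(size_t n)
{
    if (g_chunk_in_use || n > sizeof g_chunk.raw)
        return NULL;
    g_chunk_in_use = 1;
    memset(g_chunk.raw, 0, sizeof g_chunk.raw);
    return g_chunk.raw;
}

static void model_free(void *p)
{
    if (p == (void *)g_chunk.raw)
        g_chunk_in_use = 0;   /* chunk is reusable; the caller's pointer is now stale */
}

/* Legitimate vtable: every slot is a harmless method. */
static unsigned button_method(Button *self) { (void)self; return 0x0BABu; }
static method_t g_button_vtable[VTABLE_SLOTS];

/* What an attacker places in the reused chunk: a fake vtable whose slot 55
 * points at code of their choosing. */
static unsigned attacker_method(Button *self) { (void)self; return 0x41414141u; }
static method_t g_fake_vtable[VTABLE_SLOTS];

/* The dispatch performed at 637848ae / 637848c3 in the listing above. */
static unsigned dispatch_crash_slot(Button *edi)
{
    const method_t *eax = edi->vtable;   /* mov  eax, dword ptr [edi] */
    return eax[CRASH_SLOT](edi);         /* call dword ptr [eax+0DCh] */
}

typedef struct {
    unsigned before_free;   /* result of the virtual call on the live object */
    unsigned after_reuse;   /* result of the same call through the stale pointer */
} hijack_result;

hijack_result uaf_vtable_hijack(void)
{
    hijack_result r = {0, 0};
    g_chunk_in_use = 0;   /* fresh run of the model */
    for (int i = 0; i < VTABLE_SLOTS; i++) {
        g_button_vtable[i] = button_method;
        g_fake_vtable[i]   = attacker_method;
    }

    /* "Created CButton at ..." */
    Button *edi = model_alloc(sizeof *edi);
    edi->vtable   = g_button_vtable;
    edi->refcount = 1;
    strcpy(edi->tag, "CButton");
    r.before_free = dispatch_crash_slot(edi);

    /* "Deleting CButton at ...": the deleting destructor frees the chunk, but the
     * pointer held by the markup/layout path (edi) is never cleared. */
    model_free(edi);

    /* Attacker allocates a same-sized object into the freed chunk and controls its
     * first dword (in a browser, via spraying suitably sized objects). */
    unsigned char *reuse = model_alloc(sizeof *edi);
    const method_t *fake = g_fake_vtable;
    memcpy(reuse, &fake, sizeof fake);

    /* OnLoadStatusDone uses the stale pointer: same two instructions, attacker's vtable. */
    r.after_reuse = dispatch_crash_slot(edi);
    return r;
}

int main(void)
{
    hijack_result r = uaf_vtable_hijack();
    printf("live object: 0x%08x, through stale pointer after reuse: 0x%08x\n",
           r.before_free, r.after_reuse);
    return 0;
}
```

The model deliberately keeps the allocator trivial so the reuse is deterministic; on the real Windows heap the attacker has to get an allocation of the same size class into the freed block, which is what the heap-spray stage of an exploit does.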

- Where CButton is allocated (HeapAlloc) on creation
- Where CButton is freed (HeapFree)

Setting breakpoints as below and watching the heap address of the CButton confirms that this is a UAF bug, and that the edi register at the crash holds the address of the CButton object. sxe ld:mshtml stops the debugger when mshtml.dll is loaded so the breakpoints can be set once the module is mapped; the addresses are specific to this build (8.0.6001.18702) and are stable because XP has no ASLR.

sxe ld:mshtml
bp 0x639944f7 ".printf \"Created CButton at %p\", eax;.echo;g";
bp 0x639943e9 ".printf \"Deleting CButton at %p\", esi;.echo;g"

1:029> bp 0x639944f7 ".printf \"Created CButton at %p\", eax;.echo;g";bp 0x639943e9 ".printf \"Deleting CButton at %p\", esi;.echo;g"

1:029> g
ModLoad: 63580000 63b2c000   C:\WINDOWS\system32\mshtml.dll
eax=00000000 ebx=00000000 ecx=01e70000 edx=7c93e4f4 esi=00000000 edi=00000000
eip=7c93e4f4 esp=0012877c ebp=00128870 iopl=0         nv up ei ng nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000296
7c93e4f4 c3              ret
2:039> g
Created CButton at 0b8f9fa8
Deleting CButton at 0b8f9fa8
(47c.638): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b8f9fa8 ebx=05fbaf30 ecx=00000052 edx=00000000 esi=00000000 edi=0b8f9fa8
eip=637848ae esp=0391f838 ebp=0391f8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
637848ae 8b07            mov     eax,dword ptr [edi]  ds:0023:0b8f9fa8=????????

Math.atan2 calls can also be inserted into the HTML as debug markers to narrow down the crash point: with a breakpoint on jscript!JsAtan2 that prints the call's string argument (the nested poi walks from the argument pointer to the BSTR, and %mu prints it as a wide string), each marker appears in the debugger as the script reaches it. In this run every atan2 marker was printed before the crash, which shows that the CButton object is referenced after the onload handler has finished running helloWorld().

sxe ld:jscript
bp jscript!JsAtan2 ".printf \"%mu\", poi(poi(poi(esp+14)+8)+8);.echo;g"

1:024> bp jscript!JsAtan2 ".printf \"%mu\", poi(poi(poi(esp+14)+8)+8);.echo;g"

1:024> g
Symbol search path is: SRV*C:\WebSymbols*
Executable search path is: 
ModLoad: 63380000 63434000   C:\WINDOWS\system32\jscript.dll
eax=00000000 ebx=00000000 ecx=012b0000 edx=7c93e4f4 esi=00000000 edi=00000000
eip=7c93e4f4 esp=0012dd70 ebp=0012de64 iopl=0         nv up ei ng nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000296
7c93e4f4 c3              ret
2:034> g
before get element a
before get element b
before create element q
before apply element e1(b) -> e2(q)
before appendChild create element button
before applyElement e1 -> e0
before e2 outertext
before e2 appendChild createElement body
All done inside try loop
collecting garbage
Done collecting garbage
(dc4.8ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0af4afa8 ebx=05f3cf30 ecx=00000052 edx=00000000 esi=00000000 edi=0af4afa8
eip=637848ae esp=0391f838 ebp=0391f8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
637848ae 8b07            mov     eax,dword ptr [edi]  ds:0023:0af4afa8=????????